tiCrypt ConnectProductsSelf-contained desktop application built on Wails that serves the tiCrypt frontend locally as either a standalone embedded browser or an external browser session. Authenticates all VM traffic, establishes secure TLS tunnels between the user's computer and their VMs (including RDP, terminal, file explorer, and SFTP), and provides a local filesystem bridge to the Vault via SSHFS. New features such as external SFTP support are added exclusively to the Connect Application rather than the browser version.tiCrypt AuditProductsSeparately deployed audit platform that ingests secure logs from a tiCrypt deployment for compliance reporting, incident investigation, and system monitoring. Provides pre-built and custom queries authored in a TOML-based query builder with SQL generation, parameterized queries with autocomplete, severity-based alert monitoring (Info through Critical), data export to Excel, and chart visualization. Features role-based access control separating admin and standard user capabilities, API access tokens for programmatic integration, and object detail inspection for users, teams, files, drives, VMs, and IP addresses.ticrypt-restBackend ServicesHTTPS entry point for all client requests, reverse-proxied behind Nginx as a dedicated virtual domain with its own TLS certificate. Validates JSON request and response payloads, routes requests to internal services via Akka TCP, and exposes both an external-facing endpoint (port 443) for the tiCrypt frontend and an internal endpoint used by compute nodes for status reporting and VM registration. Also serves as the token-based API gateway for programmatic access. ticrypt-authBackend ServicesAuthentication, authorization, and global coordination service that supervises all other backend services via Akka TCP connections with periodic health pings. Manages user accounts, session lifecycle, MFA certificate validation, key escrow operations (using a site-key chain of trust with sharded recovery keys), and split credentials that harden private keys by storing the AES IV and salt server-side so neither the client nor the server alone can recover a user's private key. Also enforces XSS attack response policies including automatic session termination and account locking. ticrypt-file-managerBackend ServicesBackend service managing encrypted file and directory operations in the tiCrypt Vault. File content is broken into independently encrypted 8 MB chunks (each stored as 8 MB + 64 bytes on disk, where the extra 64 bytes contain the AES initialization vector). All metadata, including directory entries, access information, and decryption keys, is stored in MongoDB rather than on the file system.ticrypt-storageBackend ServicesLow-level storage backend managing the on-disk directory structure where encrypted Vault file chunks are stored. Chunks are organized in a directory tree keyed by file ID, configured via a single path parameter, and visible only to the tiCrypt backend (not to VM hosts). Because decryption keys are held exclusively by users, the raw chunk files can be replicated to unencrypted backups or cloud storage without compliance risk.ticrypt-vmBackend ServicesBackend service managing the full VM lifecycle across all compute hosts via Libvirt over SSH (using an injected RSA-2048 public key). Organizes VMs into realms, each an independent execution environment with its own Libvirt storage pools (bricks, drives, and volumes) on a distributed file system. Uses a configurable cost-function scheduler that combines curves for VM count, vCPU, memory, and per-device-type costs to select the lowest-cost host. Supports Slurm integration for batch processing through a dual-scheduler architecture. ticrypt-proxyBackend ServicesSecure tunnel mediator between users and VMs, listening on ports 6000-6100 externally and forwarding to the port range 6000-6254 on VM hosts. Replicates traffic between two WebSocket connections (one from the user's frontend, one from ticrypt-vm-controller inside the VM) but cannot read session contents because the payload is encrypted end-to-end using RSA-2048 co-authentication and a Diffie-Hellman negotiated session key. Proxy endpoints are IP-pinned to the requesting client's address.ticrypt-loggerBackend ServicesCentralized logging service that records all system activity into a tamper-evident, SHA-256 hash-chained audit trail. A primary copy is written to a local immutable append-only file, and a second copy is streamed over TCP port 25000 to tiCrypt Audit for processing in ClickHouse. Supports configurable log rotation and multiple output drivers (file and TCP). All backend services depend on this service for audit integrity.ticrypt-statsBackend ServicesBackend service collecting system statistics and usage metrics across all tiCrypt components.ticrypt-notificationsBackend ServicesService handling user and system notification delivery within the tiCrypt platform.ticrypt-maintenanceBackend ServicesBackground service performing automated maintenance tasks, primarily the account locker, which periodically scans for user accounts that have been inactive beyond a configurable threshold and automatically locks them. Scan frequency and inactivity period are both administrator-configurable via HOCON.ticrypt-sftpBackend ServicesSFTP-based data ingestion service deployed outside the secure infrastructure perimeter, listening on port 2022. Supports both administrator-provisioned SFTP ingestion and user-created Inbox access points that generate sender-specific SFTP credentials for external collaborators. Requires a network path to the tiCrypt backend REST interface but has no access to the internal network or compute nodes.ticrypt-mailboxBackend ServicesWeb-based file submission ingress service for external collaborators, deployed outside the security perimeter with only a one-way network path to ticrypt-rest. Files uploaded through the browser or CLI are encrypted with the receiving tiCrypt user's public key so only the intended recipient can decrypt them. The system auto-locks on detection of impersonation or malicious file patterns. Requires its own Nginx virtual domain and TLS certificate.ticrypt-allowedlistBackend ServicesService controlling VM outbound network access to external licensing servers. Manipulates iptables/ipset firewall rules and DNS replies on the backend host so that, unless a specific IP-and-port mapping is configured, all outgoing VM traffic remains blocked. Works in conjunction with the tiCrypt frontend to provide a management interface and requires SuperAdmin authorization to configure.ticrypt-host-controllerBackend ServicestiCrypt agent running on each compute node that receives Global Slurm jobs (via the job submission script) and starts secure VMs for each allocated job. Notifies the tiCrypt backend of VM creation so the VM can be handed over to ticrypt-vm-controller for provisioning. Manages the local job-tracking database and is being extended to support bare-metal Apptainer/Singularity containers as an alternative to VMs for MPI workloads requiring native network performance.tiCrypt-host-managerBackend ServicesComponent coordinating between the Global Slurm scheduler and the tiCrypt backend for batch processing. In tiCrypt's dual-scheduler architecture, it bridges Global Slurm (which handles cluster-wide resource allocation, quotas, and fairness but never sees job content) with the secure Local Slurm instances that execute jobs inside encrypted VM enclaves.ticrypt-driveimportBackend ServicesService supporting the External Drive Builder workflow, in which an administrator creates and populates a virtual drive outside of tiCrypt, then seals it using a manifest file that encrypts the drive and binds decryption and mounting rights to a specified user. The sealed drive is moved into the configured Libvirt drive pool and imported into tiCrypt via the manifest. Designed for large-scale dataset migrations (5 TB+).ticrypt-setupBackend ServicesAnsible-based installation and configuration tool and the only supported deployment method for tiCrypt backends. Distributed as a downloadable archive containing Ansible playbooks, configuration templates (inventory.ini for node inventory and ticrypt.yml for deployment parameters), and the ticrypt-setup.sh installer script. Targets both backend and worker nodes with configurable SSH access, and changes require re-running ticrypt-setup.sh to take effect.tiauditAuditMain audit service that hosts the audit interface, reporting engine, and query functionality for tiCrypt Audit. Provides the web-based dashboard for administrators and compliance teams.tiaudit-loggerAuditBackground service that listens for new log entries pushed from the tiCrypt backend over TCP port 25000 and stores them in ClickHouse for columnar analysis.tiaudit-log-uploaderAuditUtility for backfilling historical audit logs during initial deployment or recovery scenarios. Imports archived log data into ClickHouse so the full audit trail is available for queries.TeamResourcesResource constraint group that governs what users can consume in tiCrypt. Teams define total and per-user quotas for VM cores, memory, storage pool allocations, and devices. Every drive, VM configuration, and running VM is associated with a team, and users removed from all teams are deactivated. Teams can be assigned to Sub-Admins, and removing team quotas or setting them to zero grants unlimited resource access.Team MembershipsManagementManagement table tracking individual user memberships within teams, enabling bulk management of team composition, user access to team-associated resources, and per-user quota enforcement.